
How to test `OpenSSL::SSL::SSLContext#add_certificate`?

Open · postmodern opened this issue 3 years ago · 1 comment

The documentation for SSLContext states that the #key= and #cert= writer methods are deprecated and to instead use #add_certificate. However, I noticed there does not seem to be a way to inspect the added key and cert objects. Both #key and #cert return nil after calling #add_certificate.

Steps To Reproduce

require 'openssl'

# Load the private key and its certificate from the PEM files named in the report.
key  = OpenSSL::PKey::RSA.new(File.read('ssl.key'))
cert = OpenSSL::X509::Certificate.new(File.read('ssl.crt'))

context = OpenSSL::SSL::SSLContext.new
context.add_certificate(cert, key)
# Readers paired with the deprecated writers do not reflect add_certificate:
p context.key
p context.cert

Expected Results

#<OpenSSL::PKey::RSA: ...>
#<OpenSSL::X509::Certificate: ...>

Actual Results

nil
nil

Version

  • ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
  • openssl (default: 3.0.0)

postmodern avatar Jun 03 '22 05:06 postmodern

There's currently no way to retrieve them from SSLContext. SSLContext#add_certificate is intended to support parallel ECDSA+RSA certificates, so it will be tricky to provide the exact state.

The internal state looks like { rsa => [privkey, rsacert, ca-certs], ecdsa => [privkey, eccert, ca-certs], ... }.

Once a session is established, SSLSocket#cert can return the local certificate actually in use.

https://github.com/ruby/openssl/blob/8752d9eb27dc41d845270b6351f736501ebe0273/test/openssl/test_ssl.rb#L137-L178

rhenium avatar Jul 27 '22 06:07 rhenium
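The approach rhenium points to (inspect `SSLSocket#cert` after a handshake rather than `SSLContext#cert`) is shown below as an added example; it is not code from the issue or from the ruby/openssl test suite. It generates throw-away RSA and EC keys plus self-signed certificates in-process (constructed for the demo, not the reporter's `ssl.key`/`ssl.crt`), registers both with `add_certificate`, and then performs two loopback TLS 1.2 handshakes, pinning the client's cipher suite so that one negotiation must select the RSA certificate and the other the ECDSA one. The `self_signed_cert`, `negotiated_server_cert` and `demo` helpers are names chosen here, not library API.

```ruby
require 'openssl'
require 'socket'

# Constructed for this example: a one-hour self-signed certificate for +key+
# (RSA or EC). Only the public half of +key+ is embedded in the certificate.
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# One loopback handshake against +server_ctx+. The client is held to TLS 1.2 and a
# single +cipher+, so the key-exchange/authentication algorithm in the suite name
# decides which of the parallel certificates the server must present. Returns the
# certificate the server actually used (SSLSocket#cert), after checking that it is
# the same one the client saw as peer_cert.
def negotiated_server_cert(server_ctx, trust_store, cipher)
  tcp_server = TCPServer.new("127.0.0.1", 0)
  port = tcp_server.addr[1]

  server_thread = Thread.new do
    ssl_server = OpenSSL::SSL::SSLSocket.new(tcp_server.accept, server_ctx)
    ssl_server.sync_close = true
    ssl_server.accept
    ssl_server.read(1)                  # wait for the client's single byte
    ssl_server.cert                     # local certificate in use for this session
  ensure
    ssl_server&.close
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  client_ctx.ciphers = cipher
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.cert_store = trust_store   # trust only the two demo certificates

  ssl_client = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  ssl_client.sync_close = true
  ssl_client.connect
  ssl_client.write("x")
  peer_cert = ssl_client.peer_cert
  ssl_client.close

  server_cert = server_thread.value
  raise "server and client disagree on the certificate" unless server_cert.to_der == peer_cert.to_der
  server_cert
ensure
  tcp_server&.close
end

def common_name(cert)
  cert.subject.to_a.find { |name, _value, _type| name == "CN" }[1]
end

# Builds a context with parallel RSA and ECDSA certificates and reports what the
# context readers return versus what each negotiated session actually used.
def demo
  rsa_key = OpenSSL::PKey::RSA.new(2048)
  ec_key  = OpenSSL::PKey::EC.generate("prime256v1")
  rsa_cert = self_signed_cert(rsa_key, "rsa.example.test")
  ec_cert  = self_signed_cert(ec_key, "ecdsa.example.test")

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.add_certificate(rsa_cert, rsa_key)
  server_ctx.add_certificate(ec_cert, ec_key)

  trust_store = OpenSSL::X509::Store.new
  trust_store.add_cert(rsa_cert)
  trust_store.add_cert(ec_cert)

  {
    context_cert: server_ctx.cert,      # nil: add_certificate does not populate it
    context_key:  server_ctx.key,       # nil
    rsa_session_cn: common_name(negotiated_server_cert(server_ctx, trust_store, "ECDHE-RSA-AES128-GCM-SHA256")),
    ec_session_cn:  common_name(negotiated_server_cert(server_ctx, trust_store, "ECDHE-ECDSA-AES128-GCM-SHA256")),
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The test pattern is therefore: do not assert on `SSLContext#cert`/`#key` at all, but drive a real handshake and assert on `SSLSocket#cert` (server side) or `SSLSocket#peer_cert` (client side). Pinning TLS 1.2 and a cipher suite makes the selected certificate deterministic; under TLS 1.3 the choice is driven by the client's `signature_algorithms` extension instead, so the assertion would have to allow either certificate.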